Share this Page

A Cheapskate's Guide to Free Security Software

From an IT security guru and his peers across the country, plenty of products
you can get your hands on for free, now that you know what to look for.

The following was one of our most popular 2008 articles; it ran
online on Aug. 8.

EVERYBODY LIKES FREE. After interviewing a number
of my colleagues in higher education, I've put together the
following "shopping list" of some of the most popular free
security software programs currently in use at colleges
and universities across the country.

Nessus

Nessus, the world's leading
vulnerability scanner, was my respondents' top
choice. Here's what it does: Nessus starts by performing a
port scan either with internal portscanners or an external
scanner such as Nmap to find out which
ports are open; then it attempts various attacks on the open
ports. Nessus was created by Renaud Deraison in 1998,
and until 2005 was open source software. The Nessus 3
engine, now based on proprietary code, is still available to
everyone free of charge, but the cost of the plugins is a little
more complicated. In 2008, Tenable Network Security, the company that owns the
software, divided users into two categories: "home users"
and "commercial users." For home users (which include
personal and nonprofit users), Nessus launched HomeFeed to provide the plugins at no charge. For individuals
and organizations that want to use Tenable's Nessus plugins
commercially, the company created ProfessionalFeed,
which provides subscribers the latest vulnerability and
patch audits, configuration and content audits, and commercial
support for an annual fee.

Nmap

Nmap, which stands for "Network Mapper," is a
port scanner available for free under a GNU General Public License (GPL), and is used for network
inventory, managing service upgrade schedules, and
monitoring host or service uptime. It looks at raw IP packets
to determine which hosts are available, what operating
system they are running, which applications they are offering,
and what types of packet filters/firewalls are in use--
and lots of other good stuff. Nmap is supported on the following
operating systems: Linux, Microsoft
Windows, FreeBSD, OpenBSD, Sun Solaris, SGI IRIX, Mac OS X, HP-UX, NetBSD, SunOS, and Amiga. Support for
Nmap comes from the user community, which maintains
the Nmap-hackers mailing list and the nmap-dev list.

Snort

A perennial favorite, Snort is an
open source intrusion prevention and detection
system that uses a rule-driven language that combines signature-,
protocol-, and anomaly-based inspection methods.
Snort is commonly used in three ways: 1) as a packet sniffer
similar to tcpdump; 2) as a packet
logger; or 3) as a full real-time network intrusion detection
and prevention system that can detect a variety of attacks
and probes such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, and OS fingerprinting attempts.

Snort was written by Martin Roesch in 1998 (the same
year as Nessus) to be an open source "lightweight" intrusion
detection system, in contrast to the commercially
available systems. But that's no longer the case: Snort is
now a mature, feature-rich system; it has become a de
facto standard in intrusion detection and prevention, and
a real "heavyweight."

The availability of plugins is important, since the software
uses a modular rule-based architecture. Snort's parent company, Sourcefire, offers a free rules
feed; rules are delayed five days from their commercial release. Additional sources of rules include Bleeding Edge
Threats.

Yet, Snort wasn't the only free package in this space
identified by respondents. OSSEC is an
open source host-based intrusion detection system that
runs on Linux, OpenBSD, FreeBSD, Mac OS X, Solaris,
and Windows, among others. Bro is an
open source Unix-based package that runs
on commodity PC hardware, and was designed for use by
Unix experts to be a research platform for intrusion detection
and traffic analysis. It is not for someone looking for
an "out of the box" solution. But, if you're looking for a
product that is flexible and highly customizable, Bro is
worth a look. Some sites run another IDS as their front-line
defense and use Bro to verify the results and experiment
with new strategies.

After these first three products, picks varied widely with
no clear-cut leaders. Following are some of the packages
that were in the running.

Antivirus/Malware

Adware scans a PC for
spyware and adware, as well as removes trojans, dialers,
and worms.

ClamAV is an open source antivirus
software toolkit for Unix and Windows operating systems
and is particularly useful for scanning e-mail. It is available
from the same folks who own Snort.

Secunia Personal Software Inspector protects against Windows-based software vulnerabilities
and is a version of Secunia's commercial product, available
to private individuals for free.

Tripwire is one of the original file
integrity checkers. Though the software originally was
open source, the company now focuses on an enterprise
configuration that is not free. However, a free Linux version
can still be found at SourceForge, where there is also a free Tripwire replacement,
AIDE, which runs on many Unix-based operating systems.

VirusTotal is a free online service
that uses multiple antivirus engines to analyze submitted
files for viruses, worms, trojans, and all kinds of malware.
Encryption

Gnu Privacy Guard is an open source
implementation of the famous PGP (Pretty Good Privacy) encryption program by Phil Zimmerman
and runs on GNU/Linux, FreeBSD, Windows XP, and
Mac OS X, among others.

Nikto is an open source web server scanner which runs on any system that supports
a basic PERL installation, including
Windows, Mac OS X, and Linux; it performs comprehensive
tests against web servers to locate vulnerabilities.

Paros Proxy is another program
designed to evaluate the security of web applications.

OpenSSH provides secure
encrypted communications between two untrusted hosts
over an insecure network.

Firewalls, Packet Filters, and Other Tools

Argus is an open source system
and network-monitoring tool with a well-designed
web interface.

Autoruns reveals which programs are configured to
run during system bootup or login on a Windows computer.

Iptables is the command line program
enabling systems administrators to configure Linux packet
filtering rulesets.